onContinuePostLogin: The session token is invalid: Unexpected token payload type


I’m working on a Post Login action that uses a redirect and then tries to access some data from an external website.

When calling validateToken I’m getting an error (“The session token is invalid: Unexpected token payload type”) and I don’t know exactly what the problem is.

The token I’m returning looks like this:

  "state": "hKF***",
  "favorite_color": "blue",
  "iat": 1660555965,
  "sub": "auth0|***",
  "iss": "***.azurewebsites.net",
  "exp": 1660556025

I’m signing the token with HS256 and a shared key known to both the action and the external service.

Hi @felix.seidl,

Welcome to the Auth0 Community!

How are you creating the token? Can you give us a code snippet of your action?

Also, have you tried checking your token with jwt.io to see if it is valid?

Let me know,

Hi @dan.woda,

Thanks for reaching out.

I’m using the ‘jose’ npm package to create the token on the external site:

const secret = new TextEncoder().encode(shared_secret);
const jwt = await new jose.SignJWT({ state: stateParameter, favorite_color: "blue" }) // some dummy value
    .setProtectedHeader({ alg: 'HS256' })

the redirect back to auth0:



const payload = api.redirect.validateToken({
      secret: event.secrets.sharedsecret,
      tokenParameterName: "token",

I have checked the token on jwt.io but saw no problems.

Can you share (or DM) an example of the payload? This error suggests the payload is malformed.

I can reproduce this error with the payload from the example (favorite_color: "blue").

I also receive this same error, using the same code as above. I verified it on jwt.io as well. Any help here? The error message isn’t giving back any additional context.
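
Added example, not part of the thread and not Auth0's code: a local check of an HS256 redirect token that keeps the shared secret on your own machine and reports the first structural problem it finds (algorithm, signature, payload shape, claim types, expiry). The secret, the claim values and the expected claim types are assumptions constructed from the payload shown in the first post; it does not reproduce the checks inside `api.redirect.validateToken` and does not identify the cause of the error discussed above.

```javascript
const crypto = require("node:crypto");

// Constructed sample values; claim names and timestamps mirror the payload in the post.
const SAMPLE_SECRET = "constructed-shared-secret";
const SAMPLE_CLAIMS = { state: "constructed-state", favorite_color: "blue",
  iat: 1660555965, sub: "auth0|constructed-user", iss: "example.invalid", exp: 1660556025 };
// Assumed claim types, inferred from that payload (not taken from Auth0 documentation).
const EXPECTED_TYPES = { state: "string", sub: "string", iss: "string", iat: "number", exp: "number" };

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (secret, input) => crypto.createHmac("sha256", secret).update(input).digest();

// Sign any JSON value as a compact HS256 JWS (lets us build good and bad tokens).
function signHS256(payload, secret) {
  const signingInput = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${b64url(hmac(secret, signingInput))}`;
}

// Check alg and signature before looking at any claim, then report the first problem.
function inspectToken(token, secret, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "not a compact JWS" };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "header or payload is not JSON" };
  }
  if (header === null || header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expected = hmac(secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], "base64url");
  // Constant-time comparison of the MACs; lengths must match first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad signature" };
  if (payload === null || typeof payload !== "object" || Array.isArray(payload))
    return { ok: false, reason: "payload is not a JSON object" };
  for (const [claim, type] of Object.entries(EXPECTED_TYPES))
    if (typeof payload[claim] !== type) return { ok: false, reason: `${claim} is not a ${type}` };
  if (payload.exp <= nowSec) return { ok: false, reason: "expired" };
  return { ok: true, reason: "ok", payload };
}
```

Pass the current time in seconds as `nowSec`; the sample token above has a 60-second lifetime, matching the `iat` and `exp` values in the post.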